Constant-time WebAssembly

As ever more applications are designed to run inside browsers and other JavaScript runtime systems, there is an increasing need for cryptographic primitives that can be used client-side. Unfortunately, securely implementing cryptographic primitives in high-level languages is extremely difficult—runtime system components such as garbage collectors and just-in-time compilers can trivially introduce timing leaks in seemingly secure code. We argue that runtime system designs should be rethought with such applications—applications that demand strong guarantees for the executed code—in mind. As a concrete step towards this goal, we propose changes to the recent WebAssembly language and runtime system, supported by modern browsers. Our Constant-Time WebAssembly enables developers to implement crypto algorithms whose security guarantees will be preserved through compiler optimizations and execution in the browser.